How secure do you feel Regnum is?


DemonMonger
01-19-2008, 05:10 AM
:clapclap: :metal: I suggest that you use a new account for forums so people do not see your login name..... I said this when Regnum was still in beta... but I'm saying it again, because someone I know got hacked... and lost their account..

putkonen
01-19-2008, 06:11 AM
I don't really understand this question, but I guess Regnum is pretty secure :huh:

amade
01-19-2008, 06:21 AM
Regnum is never secure as long as DM is running around in it ;)

ArcticWolf
01-19-2008, 07:57 AM
Not secure at all... Packages aren't ciphered, for instance.

DkySven
01-19-2008, 09:09 AM
Not secure I think, but why would somebody hack Regnum?

Nikor
01-19-2008, 09:17 AM
Not secure at all... Packages aren't ciphered, for instance.

What would be the use of that? As far as I can see, the client verifies the local installation every time you start. I guess it computes some kind of hash value for every file and compares that to the values stored on the server. If there are differences, it downloads the files again, no problem here.

If you think about signing the installation package (Windows only, Linux users just download the launcher) with some kind of certificate, I never really understood why this would help. I mean, how many people really do think twice if Windows says "This file is not signed, it may not be safe" or whatever the real text is, and click on "Run anyway"? And publishing hash values of the installer on the web site doesn't help because if you are able to redirect the download to a site of your own, you can surely adjust the values accordingly. And you wouldn't get past the check/download procedure mentioned above anyway.

Going back to the original question, I think the only real security issue Regnum has is the same that all account-based applications/games/web sites have: social engineering. That means getting other people to tell you your account data including the password. This is why there is a bold red text every time you start the game that tells you not to give your password to anyone.

Edit: added a few more thoughts

Nikor
01-19-2008, 09:36 AM
Not secure I think, but why would somebody hack Regnum?

For the same reasons people hack other stuff. To gain an advantage, to make money or just for the fun of it. The last reason is actually a very good one as those people tend to report what they found to the developers so they can fix them.

DemonMonger
01-19-2008, 12:37 PM
Regnum is never secure as long as DM is running around in it ;)
Wrong, I'm your best friend..... I suggest that you use a new account for forums so people do not see your login name..... I said this when Regnum was still in beta... but I'm saying it again, because someone I know got hacked... and lost their account..

Drah
01-19-2008, 02:47 PM
DM, was their password a word that could be found in a dictionary list?

NGD, the forum has a 15 minute lockout if you fail the password 5 times - does the main website (and the game server) have anything to stop a dictionary-list or brute-force attack in a similar way to this?

I've tried SQL injection against my own account but couldn't force my way in through the main site or via the client app's login system.

To me, the biggest risk is with someone releasing a 0-day hack for vBulletin and for someone to leech all the passwords, converting the hash back to the original password using an MD5 string database (for example) - mainly because I've known sites that have had this happen to them.

Stefan1200
01-19-2008, 03:54 PM
I guess it computes some kind of hash value for every file and compares that to the values stored on the server. If there are differences, it downloads the files again, no problem here.

Yes, Regnum finds changed files very well. But if you write-protect the changed file, Regnum shows an error message and starts with the changed file without a problem. So you can hack files and use them!
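
The behaviour described in the post above is a fail-open integrity check. An added example (not part of the thread and not NGD's launcher code) of a manifest check that refuses to launch when a mismatched file cannot be repaired; the file names, the SHA-256 manifest and the `repair` callback are assumptions, and write protection is simulated by a callback that raises `PermissionError`.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def verify_install(root, manifest, repair):
    """Return (ok, problems); ok is True only if every file matches after repair."""
    problems = []
    for rel, expected in manifest.items():
        path = os.path.join(root, rel)
        if os.path.isfile(path) and sha256_file(path) == expected:
            continue
        try:
            repair(path, rel)                   # re-download the mismatched file
        except OSError as exc:                  # e.g. the file is write-protected
            problems.append(f"{rel}: repair failed ({type(exc).__name__})")
            continue
        if sha256_file(path) != expected:       # re-check instead of trusting repair
            problems.append(f"{rel}: still mismatched after repair")
    return (not problems, problems)             # caller must not launch if ok is False

def demo():
    good = {"a.bin": b"original-a", "b.bin": b"original-b"}   # constructed files
    manifest = {rel: hashlib.sha256(data).hexdigest() for rel, data in good.items()}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in good.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        with open(os.path.join(root, "b.bin"), "wb") as f:
            f.write(b"locally modified")        # tampered copy

        def locked(path, rel):                  # simulates a write-protected file
            raise PermissionError(path)

        def download(path, rel):                # stands in for the server download
            with open(path, "wb") as f:
                f.write(good[rel])

        blocked = verify_install(root, manifest, locked)
        repaired = verify_install(root, manifest, download)
    return blocked, repaired
```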

ArcticWolf
01-19-2008, 07:42 PM
What would be the use of that? As far as I can see, the client verifies the local installation every time you start. I guess it computes some kind of hash value for every file and compares that to the values stored on the server. If there are differences, it downloads the files again, no problem here.

Uhm... Now that I read my reply I made a mistake... Packages were the Packets the client sends to the server to communicate. They're in plain text AFAIK. Ciphered packets would help to make the game more secure.

Sorry, I confused packages with packets (translation to Spanish would be: enpaquetados with paquetes xD). My fault.

Going back to the original question, I think the only real security issue Regnum has is the same that all account-based applications/games/web sites have: social engineering. That means getting other people to tell you your account data including the password. This is why there is a bold red text every time you start the game that tells you not to give your password to anyone.

Edit: added a few more thoughts

Nowadays, it's almost impossible to break security in most of the cases, but there's always a way and it's social engineering. I could get my school's Wi-Fi LAN passkey, which was secured with WPA-PSK, just by asking some questions to my teachers. Of course it has nothing to do (and I used it to send some mails xD), but you can do the exact same thing to retrieve the user and pass from anyone in the game. Unfortunately, this will keep happening because there's a large number of innocent-minded players that trust everyone.

Snoid
01-19-2008, 07:44 PM
:clapclap: :metal: I suggest that you use a new account for forums so people do not see your login name..... I said this when Regnum was still in beta... but I'm saying it again, because someone I know got hacked... and lost their account..
I suggest that you make anonymous polls. xD

EDIT: My fault. My bad English... :(

SuraK: encrypt SOMETHING

DemonMonger
01-19-2008, 09:24 PM
Yes, Regnum finds changed files very well. But if you write-protect the changed file, Regnum shows an error message and starts with the changed file without a problem. So you can hack files and use them!
Right... or you can use old update in new version/new version for exp server in normal server

Nikor
01-20-2008, 04:11 AM
Uhm... Now that I read my reply I made a mistake... Packages were the Packets the client sends to the server to communicate. They're in plain text AFAIK. Ciphered packets would help to make the game more secure.

Ok, that makes a lot more sense and I agree with it. You can see a lot of information when running packet analyzers like Wireshark while playing. It's not all plain text, but what is not would be easy to figure out if you have enough time to spare.

But what I ask myself here is: "Is this a security issue?" I do not think so. It possibly makes life easier for cheaters, but it does not compromise anyone's account data (username/password combination).

One more thought on security: It's not an on/off or black/white thing. You have to define what you want to secure and against what. This is always a compromise between cost of implementation and cost of not implementing.

This is why I do not vote here, as there is no such thing as "very secure" or "not secure at all". Security is always something in-between. Unless you define what you want to secure and against what, you can't really give a reasonable answer.

tak
01-20-2008, 12:23 PM
God, you guys sure are anal about security. Who cares, it's a game.
Choose a good password, that's enough and totally up to you.
If you get hacked, who could use your account anyways? You'd lose your stuff, and be completely at fault yourself if you choose a lame password.

NightTwix
01-20-2008, 10:52 PM
God, you guys sure are anal about security. Who cares, it's a game.
Choose a good password, that's enough and totally up to you.
If you get hacked, who could use your account anyways? You'd lose your stuff, and be completely at fault yourself if you choose a lame password.

Uhm, start the game and run a 'ps auxww' or similar (I'm sure Windows is affected too).
The game is launched with the username and the hashed password as command-line switches.

So any other user on your system or any other running application can grab your login.

Then the unencrypted network traffic and packages could be a problem too, but I haven't looked into it.

For some reason I also doubt the coding quality when it comes to buffer overflows and similar methods of remote code execution.
I can imagine there arises a lot of trouble when someone does some security auditing.
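
An added example (not from the thread or the game's code) showing, on Linux, that a value passed as a command-line switch is readable from `/proc/<pid>/cmdline`, which is what `ps auxww` displays, while the same value handed over on stdin is not. The `--user`/`--hash` switch names, the stand-in child process and the sample value are hypothetical.

```python
import subprocess
import sys

# Stand-in client: reads one line from stdin, then idles until stdin is closed.
CHILD = "import sys; sys.stdin.readline(); sys.stdin.read()"

def visible_cmdline(pid):
    """Command line as other local users see it by default (the data ps reads)."""
    with open(f"/proc/{pid}/cmdline", "rb") as f:
        return f.read().replace(b"\0", b" ").decode(errors="replace").strip()

def launch_and_inspect(secret, via_argv):
    """Start the stand-in client and return its externally visible command line."""
    args = [sys.executable, "-c", CHILD]
    if via_argv:
        # Hypothetical switch names; the secret becomes part of argv.
        args += ["--user", "alice", "--hash", secret]
    proc = subprocess.Popen(args, stdin=subprocess.PIPE)
    try:
        if not via_argv:
            # Safer hand-off: the launcher writes the secret to the child's stdin.
            proc.stdin.write((secret + "\n").encode())
            proc.stdin.flush()
        return visible_cmdline(proc.pid)
    finally:
        proc.stdin.close()   # lets the child exit
        proc.wait()

if __name__ == "__main__":
    sample = "constructed-sample-hash-0123456789abcdef"  # constructed value
    print("argv :", launch_and_inspect(sample, True))
    print("stdin:", launch_and_inspect(sample, False))
```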

Rockwolf_
01-29-2008, 01:24 PM
This poll needs a third option, because your account name is indeed visible, but this only means you can get "hacked" if your password is too easy. All the pressure is on the password. The stronger the password, the safer you are. But I see no reason a real hacker would steal someone's account? Those people usually have more interesting things to do :biggrin:

Miraculix
01-29-2008, 02:42 PM
well that's the issue here, 2 words come to mind: script kiddies ;)

meldarion
02-01-2008, 03:15 AM
The simplest way to stop password de-hashing using a db is to do something like MD5(username + password) or MD5(username + MD5(password)).

It will add a few magnitudes of difficulty to the process of getting at the password.

The network stuff is scarily scant....

GIGO305
02-01-2008, 03:26 AM
Hackers are everywhere these days. This one on YouTube tried to hack but he got a bunch of viruses :lol: Illegal defence mailed him a virus for payback. The only security we get from our user name is that we don't use it in game, but hackers will look for us on the forums, and you can guess passes forever, so a good hacking program can hack anyone in 5 mins at most. I know this from playing RuneScape, a game in which hacking is every single god damn day, and if you're not with them they are against you, but I'm not like that. P.S. Some idiot made a thread asking for a hack for Regnum. Morons like him are just BS; real hackers use sht like him so people ignore what's coming. Be careful. On YouTube look in my favorites, I think I got an anti-hacker thing: if they send you a keylogger they get constant spam. And my password is the same for everything because it's alt codes. I suggest more people use this.

Proteas
02-01-2008, 04:49 AM
I feel Regnum to be very secure as long as you have a good antivirus and a strong password. Try an alphanumeric password, not just letters or numbers.

Try using both and your account will be safe :p

Update your antivirus once a week, that will also help :p


Regards

NightTwix
02-02-2008, 03:22 PM
The simplest way to stop password de-hashing using a db is to do something like MD5(username + password) or MD5(username + MD5(password)).

It will add a few magnitudes of difficulty to the process of getting at the password.

The network stuff is scarily scant....

That would add exactly 0 security because the username is known. The proper way is salting (http://en.wikipedia.org/wiki/Salting_(cryptography)).
I don't know which hash is used, but MD5 has been broken for a while now and unsalted MD5 has been broken for decades.
Anyway, you don't need to dehash the password because you can start the game with only the username and hash.

I feel Regnum to be very secure as long as you have a good antivirus and a strong password. Try an alphanumeric password, not just letters or numbers.

Alphanumeric means letters and numbers only; you mean non-alphanumeric.
But your point is right. Put some special characters in your password and it's way harder to brute-force.
But if your hash gets stolen or your password gets scammed/phished/sniffed ... then it doesn't help you to have the best password in the world.
(I won't comment on antivirus)

Remember, there is no perfect security. you can only raise the bar as high as you can
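
Per-account random salting with a slow hash, as recommended in the post above, next to unsalted MD5 for comparison. This is an added example, not code from the thread or from NGD; PBKDF2-HMAC-SHA256, the iteration count and the sample accounts are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this example

def md5_unsalted(password):
    return hashlib.md5(password.encode()).hexdigest()

def new_record(password):
    """Server side: random 16-byte salt per account, stored next to the derived key."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key

def verify(password, record):
    """Server side: re-derive from the submitted password, compare in constant time.
    The stored key is never accepted as a login credential itself."""
    salt, key = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, key)

def lookup_hits(stored_md5, wordlist):
    """Audit helper: stored unsalted MD5 values that a precomputed table resolves."""
    table = {md5_unsalted(word): word for word in wordlist}
    return {user: table[h] for user, h in stored_md5.items() if h in table}

def demo():
    users = {"alice": "dragon", "bob": "dragon", "carol": "k9#Vt!2pLq"}  # constructed
    unsalted = {user: md5_unsalted(pw) for user, pw in users.items()}
    salted = {user: new_record(pw) for user, pw in users.items()}
    return unsalted, salted

if __name__ == "__main__":
    unsalted, salted = demo()
    print("same MD5 for alice and bob:", unsalted["alice"] == unsalted["bob"])
    print("same salted key for alice and bob:", salted["alice"][1] == salted["bob"][1])
    print("table hits:", lookup_hits(unsalted, ["password", "dragon", "letmein"]))
```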

DemonMonger
02-02-2008, 04:14 PM
That would add exactly 0 security because the username is known. The proper way is salting (http://en.wikipedia.org/wiki/Salting_(cryptography)).
I don't know which hash is used, but MD5 has been broken for a while now and unsalted MD5 has been broken for decades.
Anyway, you don't need to dehash the password because you can start the game with only the username and hash.

Alphanumeric means letters and numbers only; you mean non-alphanumeric.
But your point is right. Put some special characters in your password and it's way harder to brute-force.
But if your hash gets stolen or your password gets scammed/phished/sniffed ... then it doesn't help you to have the best password in the world.
(I won't comment on antivirus)

Remember, there is no perfect security. You can only raise the bar as high as you can
Well said, Twix :biggrin: